IPSEC Working Group                                  S. Bitan, RADGUARD
Internet Draft                                     D. Frommer, RADGUARD
                                                            August 1997


                 The Use of DES-MAC within ESP and AH


Status of This Memo

   This document is a submission to the IETF Internet Protocol Security
   (IPSEC) Working Group. Comments are solicited and should be
   addressed to the working group mailing list (ipsec@tis.com) or to
   the authors.

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   To learn the current status of any Internet-Draft, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
   ftp.isi.edu (US West Coast).

   Distribution of this memo is unlimited.

Abstract

   This draft describes the use of the DES-MAC algorithm [Kaufman95] as
   an authentication mechanism within the revised IPSEC Encapsulating
   Security Payload [ESP] and the revised IPSEC Authentication Header
   [AH]. DES-MAC [Kaufman95] is based on the DES encryption algorithm
   [FIPS-46, FIPS-46-1, FIPS-74, FIPS-81].

   Further information on the other components necessary for ESP and AH
   implementations is provided by [Thayer97a].

Internet Draft           DES-MAC Authenticator                July 1997

Contents

   STATUS OF THIS MEMO
   ABSTRACT
   1. INTRODUCTION
      1.1 SPECIFICATION OF REQUIREMENTS
   2. AUTHENTICATION ALGORITHM
      2.1 BLOCK SIZES AND PADDING
      2.2 PERFORMANCE
   3. KEY SPECIFICATIONS
   4. IV
   5. INTERACTION WITH THE ESP CIPHER MECHANISM
   6. SECURITY CONSIDERATIONS
   7. ACKNOWLEDGEMENTS
   8. REFERENCES
   9. AUTHORS INFORMATION

1. Introduction

   This draft describes the use of the DES-MAC algorithm to provide
   authenticity within the context of the Encapsulating Security
   Payload [ESP] and the Authentication Header [AH]. The goal of this
   auth-des-mac is to ensure that the packet is authentic and that it
   was not modified in transit.

   DES-MAC [Kaufman95] is based on the DES [FIPS-46, FIPS-46-1,
   FIPS-74, FIPS-81] encryption algorithm. Given a secret key, the last
   output block of a DES-CBC encryption of a message is used as the
   output of the DES-MAC algorithm for this message. Hence, DES-MAC is
   a secret key authentication algorithm. Data authentication and data
   integrity provided by DES-MAC are dependent upon the scope of the
   distribution of the secret key. If only the source and the
   destination know the DES-MAC key, this provides data origin
   authentication and data integrity for packets sent between the two
   parties. If the outputs of the DES-MAC computed by the two parties
   are identical, this proves that it has been computed by the source,
   and that the packet was not modified in transit.

   IPSEC implementations for high bandwidth networks might fail to
   supply the required performance without using hardware
   implementations of encryption and authentication algorithms. DES
   hardware implementations are popular and easy to find. Currently
   there exist only a few hardware implementations for the other
   authentication mechanisms that appear in the IPSEC drafts
   (HMAC-SHA-1 and HMAC-MD5). Hence, when high performance is a
   requirement, the DES-MAC authenticator is preferable to HMAC-SHA-1
   or HMAC-MD5.

   This document assumes the reader is familiar with the terms and
   concepts in [RFC-1825], in [ESP], and in [AH]. This document follows
   the IPsec document framework described in [Framework].

1.1 Specification of Requirements

   Interpret the keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD",
   "SHOULD NOT", and "MAY" that appear in this document as described in
   [RFC-2119].

2. Authentication Algorithm

   The DES-MAC algorithm is based on the DES encryption algorithm
   [FIPS-46, FIPS-46-1, FIPS-74, FIPS-81]. The Message Authentication
   Code (MAC) of a certain message is the last output block of the DES
   CBC encryption of the message. The authentication function
   properties of DES-MAC are derived from the encryption function
   properties of the DES algorithm.

2.1 Block sizes and Padding

   Like DES, DES-MAC is a block algorithm. It operates on input blocks
   of size 64 bits. Hence, its input must be padded to a multiple of
   64 bits. When used in [ESP], the payload data must be padded to a
   multiple of the 64-bit block size. The padding should be done
   according to the conventions specified in [ESP].

   The output of the DES-MAC algorithm is 64 bits long. Hence, the
   authentication data size in both ESP and AH is 64 bits.

2.2 Performance

   The DES-MAC performance is identical to that of the DES encryption
   algorithm. The DES algorithm is designed to perform well using
   hardware implementations. Commonly available DES hardware is
   considerably faster than software implementations on popular
   processors. There are hardware implementations of DES operating at
   100 Mbps [Schneier]. The use of hardware allows a level of
   parallelism between the CPU and the DES hardware, which is
   especially important in security gateway implementations.

   Phil Karn has tuned DES-CBC software to achieve 10.45 Mbps with a
   90 MHz Pentium, scaling to 15.9 Mbps with a 133 MHz Pentium.

   If DES-MAC is used in conjunction with the DES-CBC cipher in ESP,
   the DES calculations for integrity and confidentiality may be
   performed in parallel, given the appropriate hardware.

3. Key Specifications

   Like DES-CBC, the key of DES-MAC is 64 bits long. Each byte has
   seven significant bits; the least significant bit is used as a
   parity bit.

   The keying material must be adjusted for parity as necessary. If the
   resulting key is a weak key, it must not be used. A list of DES weak
   and semi-weak keys can be found in [Schneier].

   When used in ESP, in conjunction with the DES-CBC cipher,
   independent keys must be used for authentication and encryption (see
   [Kaufman95, p.91]).

   A Security Association using this transform must rekey within a
   lifetime of 2^32 bytes.

4. IV

   The DES-CBC algorithm requires an Initialization Vector (IV). So
   does the DES-MAC algorithm. In this transform the IV is implicitly
   set to zero. A constant IV can be used, since the data in the ESP
   payload is encrypted, and in AH the replay protection guarantees
   that all the packets authenticated under the same SA are distinct.

5. Interaction with the ESP cipher mechanism

   When used in conjunction with the DES-CBC cipher, independent keys
   must be used [Kaufman95, p.91]. For performance reasons, when
   hardware encryption and authentication are used, it may be desirable
   to use the DES-CBC cipher and the DES-MAC authenticator together in
   ESP.

6. Security considerations

   The strength of the DES-MAC transform relies on the strength of DES,
   on the correctness of the specific DES implementation used, and on
   the correctness of the Security Association management, the key
   management and their implementations.

   The MAC produced by the DES-MAC algorithm is short relative to other
   authentication mechanisms. This fact makes it less resistant to
   various attacks. To overcome this problem, the Security Association
   and key lifetimes must be shorter.

7. Acknowledgements

   Portions of this document are derived from
   draft-ietf-ipsec-auth-hmac-md5-99-00.txt, by C. Madson and R. Glenn.

   The IPsec document framework is described in
   draft-ietf-doc-roadmap-00.txt.

   The authors would like to thank Rodney Thayer, Ed Russel and all the
   Detroit bake-off participants.

8. References

   [AH]         S. Kent, R. Atkinson, "IP Authentication Header", work
                in progress, July 1997.

   [ESP]        S. Kent, R. Atkinson, "IP Encapsulating Security
                Protocol (ESP)", work in progress, July 1997.

   [FIPS-46]    US National Bureau of Standards, "Data Encryption
                Standard", Federal Information Processing Standard
                (FIPS) Publication 46, January 1977.

   [FIPS-46-1]  US National Bureau of Standards, "Data Encryption
                Standard", Federal Information Processing Standard
                (FIPS) Publication 46-1, January 1988.

   [FIPS-74]    US National Bureau of Standards, "Guidelines for
                Implementing and Using the Data Encryption Standard",
                Federal Information Processing Standard (FIPS)
                Publication 74, April 1981.

   [FIPS-81]    US National Bureau of Standards, "DES Modes of
                Operation", Federal Information Processing Standard
                (FIPS) Publication 81, December 1980.

   [Framework]  The IP Security Document Roadmap, RFC-xxxx.

   [Kaufman95]  Kaufman, C., Perlman, R. and Speciner, M., "Network
                Security: Private Communication in a Public World",
                PTR Prentice Hall, Englewood Cliffs, New Jersey, 1995.
                ISBN 0-13-061466-1

   [RFC-2119]   Bradner, S., "Key words for use in RFCs to indicate
                Requirement Levels",
                ftp://ds.internic.net/rfc/rfc2119.txt, March 1997.

   [Schneier]   Schneier, B., "Applied Cryptography Second Edition",
                John Wiley & Sons, New York, NY, 1995.
                ISBN 0-471-12845-7

9. Authors Information

   Sara Bitan
   RADGUARD, Ltd.
   24 Raoul-Wallenberg St.
   Tel Aviv 69719
   Israel
   Telephone: +972-3-645-5378

   Dan Frommer
   RADGUARD, Ltd.
   24 Raoul-Wallenberg St.
   Tel Aviv 69719
   Israel
   Telephone: +972-3-645-5396
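
The key handling required by the Key Specifications section (parity adjustment, weak-key rejection, distinct authentication and encryption keys), as an added example that is not part of the draft. The function names are hypothetical, and the weak and semi-weak key values are the standard published DES lists rather than values taken from this page.

```python
# Added example (not from the draft): preparing DES-MAC keying material.
# Function names are hypothetical; the key lists are the standard DES
# weak and semi-weak keys, written with odd parity.
import hmac

WEAK = ("0101010101010101", "fefefefefefefefe",
        "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e")
SEMI_WEAK = ("01fe01fe01fe01fe", "fe01fe01fe01fe01",
             "1fe01fe00ef10ef1", "e01fe01ff10ef10e",
             "01e001e001f101f1", "e001e001f101f101",
             "1ffe1ffe0efe0efe", "fe1ffe1ffe0efe0e",
             "011f011f010e010e", "1f011f010e010e01",
             "e0fee0fef1fef1fe", "fee0fee0fef1fef1")
REJECTED = {bytes.fromhex(k) for k in WEAK + SEMI_WEAK}


def set_odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so the byte has an odd number of 1s."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes (56 key bits + 8 parity)")
    out = bytearray()
    for b in key:
        high7 = b & 0xFE                       # the seven significant bits
        odd = bin(high7).count("1") % 2 == 1
        out.append(high7 | (0 if odd else 1))  # parity bit completes odd count
    return bytes(out)


def prepare_mac_key(material: bytes, cipher_key: bytes = b"") -> bytes:
    """Return a usable DES-MAC key, or raise ValueError."""
    key = set_odd_parity(material)
    # Check after parity adjustment: parity bits do not affect DES, so two
    # inputs that differ only in parity bits are the same key.
    if key in REJECTED:
        raise ValueError("weak or semi-weak DES key")
    # Sanity check only: real independence comes from how the two keys
    # are derived, which this function cannot see.
    if cipher_key and hmac.compare_digest(key, set_odd_parity(cipher_key)):
        raise ValueError("MAC key equals the ESP DES-CBC key")
    return key
```

All-zero keying material is rejected here because parity adjustment turns it into the weak key 0101010101010101.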